WHAT IS A FIREWALL

FIREWALLS
BY
ARCHANA ANNAMANENI
WHAT IS A FIREWALL
• Firewalls are used to create security checkpoints at the boundaries of private networks by providing the routing function between the private network and the Internet.
• Firewalls inspect all communications passing between the two networks and either pass or drop the communications depending on how they match the programmed policy rules.
• If the firewall is properly configured and contains no serious exploitable bugs, that network will be as free of risk as possible.
FIREWALL COMPONENTS
• The following are the two basic methods used to create a network firewall.
• All other techniques are simply variations on these two basic methods.
➢ Packet Filtering
Rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to unauthorized services.
➢ Application Gateway
An application gateway is a software program that runs on the firewall to intercept traffic for a specific kind of application.
➢ Other Firewall Components
Each of the above methods has its strengths and weaknesses. The other firewall components combine the two methods to produce a more secure firewall solution, e.g. a bastion host and a DMZ.
Types Of Attack
➢ Denial-of-service Attacks
The goal of the attacker is usually one of the following:
• Overload a limited resource
• Crash a network device or host computer
• Reconfigure a resource to render it useless
➢ SYN Flooding
• The SYN flag field in the TCP header is used to start a connection request.
• The ACK flag field is used to acknowledge a packet.
• If the sender of the initial connection request uses a spoofed IP address as the source address in its first packet, the destination host tries to send an acknowledgement, but it never gets back to the source host. The connection eventually times out, and the destination host releases the memory used by the connection.
• The above is the method used to cause a SYN flood.
• The attacking host keeps sending connection request messages with a source IP address that is unreachable or does not exist.
➢ IP Spoofing
• Spoofing means a malicious user can send out packets with a source address of the user's choosing.
• This means that a firewall might receive packets that it thinks are coming from a trusted host computer or network but that are in fact being generated by someone who wants to get data inside one's local network.
➢ ICMP Redirect
• A field in each ICMP packet defines the message type.
• Routers use one of the ICMP functions, the redirect message type, to tell another router that they know a better path to a destination. This message type can be exploited by hackers to cause problems.
• To prevent this, the firewall should block all incoming ICMP redirect messages.
➢ OS Concerns
• A firewall does not have to run on the same operating system as the desktops or servers.
• A firewall should be chosen based on the features it offers to enforce the security policy requirements of one's own network.
• The second important factor in choosing a firewall is OS familiarity.
• That is, the administrator should be familiar with the user interface and should know how to configure the firewall correctly.
➢ What A Firewall Can Do
• Protects from insecure protocols and services
• Keeps information about users, systems and network addresses
• Provides audit trails (via log files) containing security and statistical data that can be used to ensure that the network is safe and operating in an efficient manner
• Provides centralized management of network security as it relates to the outside world
➢ What A Firewall Cannot Protect A Network From
• Viruses
• Trojan horses
• Social engineering
• Incompetence
• Insider attacks
Packet Filtering
• Packet filters were the first kind of firewall developed to protect a network from the Internet.
• Routers are configured to allow or deny packets from passing through based on rules created by the network administrator.
• When a computer on the network needs to send a packet to a computer that sits on a different network, it sends the packet to the router's address and lets the router determine the best method for delivering the information to its final destination. The router makes these decisions depending on addressing information it finds in the packet's header.
• A screening router is a router that has been configured with a set of rules that specify which kinds of network traffic are allowed to come in or go out through it.
• That is, after the router has decided that it can deliver the packet, it then consults a set of rules that tell it whether it should route the packet.
There are two primary types of packet filtering:
• Stateless packet filtering
• Stateful inspection packet filters
➢ Stateless packet filtering
Packet filters are border routers that increase security by determining whether or not to forward a packet based on information contained in the header of every individual packet.
Most filters are configured to use the following data fields:
• Protocol type
• IP address
• TCP/UDP port
• Fragment number
• Source routing information
➢ Protocol filtering
• Protocol filtering filters packets based on the content of the IP protocol field.
• For example, if an organization has a single-purpose server serving a TCP-based service like HTTP, then we can filter out all the UDP services.
➢ IP address filtering
• IP address filtering makes it possible to limit connections to (or from) specific hosts and networks based on their IP address.
➢ Port filtering
• Instead of having to permit or deny packets based only on their source or destination address, and thereby allow or disallow all communications, it is possible to selectively allow or disallow individual services, depending on the port number.
• For example, one might not want to allow users to Telnet to a remote host computer (or vice versa), but might not care if they exchange files via anonymous FTP sessions.
The following are sample rules to allow incoming and outgoing SMTP connections so that email can be delivered:

Rule  Direction  Protocol  Saddress  Daddress  Dest.port  Action
1     Inbound    TCP       external  internal  25         allow
2     Outbound   TCP       internal  external  >=1024     allow
3     Outbound   TCP       internal  external  25         allow
4     Inbound    TCP       external  internal  >=1024     allow
5     *          *         *         *         *          disallow

• The above rules look like a few good rules that will keep the internal LAN safe while allowing SMTP connections in both directions.
• If we look at rules 2 and 4 together, they allow a connection, either inbound or outbound, for any service that uses ports that are greater than 1023.
• This hole can be used by hackers to communicate with a Trojan horse program.
To fix this set of rules, we need to specify the source port in addition to the destination port.

Rule  Direction  Protocol  Saddress  Daddress  Sou.port  Dest.port  Action
1     Inbound    TCP       external  internal  >=1024    25         allow
2     Outbound   TCP       internal  external  25        >=1024     allow
3     Outbound   TCP       internal  external  >=1024    25         allow
4     Inbound    TCP       external  internal  25        >=1024     allow
5     *          *         *         *         *         *          disallow

In the above set of rules, rules 2 and 4 no longer allow a connection between two ports that are greater than 1023. Instead, those connections must be tied, at one end of the connection, to the SMTP port number of 25.
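The two rule tables above can be checked mechanically. The following first-match evaluator is an added example, not part of the original slides; the `Packet` tuple, the function names and the sample port numbers are assumptions made for illustration.

```python
from collections import namedtuple

# Zones ("internal"/"external") stand in for address ranges, as in the tables.
Packet = namedtuple("Packet", "direction proto saddr daddr sport dport")

def field_ok(spec, value):
    return spec == "*" or spec.lower() == value.lower()

def port_ok(spec, port):
    """spec is '*', '>=N', or an exact port number."""
    if spec == "*":
        return True
    if spec.startswith(">="):
        return port >= int(spec[2:])
    return port == int(spec)

def evaluate(rules, pkt):
    """First matching rule wins; returns (rule number, action)."""
    for num, direction, proto, saddr, daddr, sport, dport, action in rules:
        if (field_ok(direction, pkt.direction) and field_ok(proto, pkt.proto)
                and field_ok(saddr, pkt.saddr) and field_ok(daddr, pkt.daddr)
                and port_ok(sport, pkt.sport) and port_ok(dport, pkt.dport)):
            return num, action
    return None, "disallow"  # assumption: default deny when nothing matches

# First table: it has no source-port column, so the source port is '*'.
ORIGINAL = [
    (1, "inbound",  "TCP", "external", "internal", "*", "25",     "allow"),
    (2, "outbound", "TCP", "internal", "external", "*", ">=1024", "allow"),
    (3, "outbound", "TCP", "internal", "external", "*", "25",     "allow"),
    (4, "inbound",  "TCP", "external", "internal", "*", ">=1024", "allow"),
    (5, "*", "*", "*", "*", "*", "*", "disallow"),
]
# Second table: source port added.
FIXED = [
    (1, "inbound",  "TCP", "external", "internal", ">=1024", "25",     "allow"),
    (2, "outbound", "TCP", "internal", "external", "25",     ">=1024", "allow"),
    (3, "outbound", "TCP", "internal", "external", ">=1024", "25",     "allow"),
    (4, "inbound",  "TCP", "external", "internal", "25",     ">=1024", "allow"),
    (5, "*", "*", "*", "*", "*", "*", "disallow"),
]

# Constructed sample packets; the port numbers are arbitrary.
SMTP_IN = Packet("inbound", "TCP", "external", "internal", 40000, 25)
HIGH_TO_HIGH = Packet("inbound", "TCP", "external", "internal", 40000, 5000)

def audit(pkt):
    """Return the verdict of each rule set for one packet."""
    return evaluate(ORIGINAL, pkt), evaluate(FIXED, pkt)
```

`audit(HIGH_TO_HIGH)` shows rule 4 of the first table admitting a non-SMTP connection that the second table sends to the final disallow rule. The corrected rule 4 still matches on a source port chosen by the sender, which is as far as a packet-by-packet check can go.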
Filtering On Other Information
➢ Source Routing
• Source routing is the process of defining the exact route a packet must take between hosts in an IP connection.
• It was developed for such uses as debugging network problems and other maintenance chores.
• But this feature can be easily exploited by a hacker, because a hacker can put any address in the source field and still ensure the packet will return by specifying their own machine address in the source route.
• Firewalls should be configured to drop all packets that have the source routing option turned on.
➢ Fragmentation
• Fragmentation gives any router in the path between two hosts the ability to chop up an inbound IP packet into multiple packets and then forward them on size-constrained networks.
• The problem with fragmentation is that the most useful filter data, the TCP or UDP port number, is only provided at the beginning of an IP packet, so it will only be contained in fragment 0. So most early filters simply forwarded all subsequent fragments on the assumption that if fragment 0 had been dropped, the subsequent fragments would be worthless.
• Many TCP/IP versions running on internal hosts used to assemble the packets if fragments 1 through n contained a valid TCP packet. This means that a hacker could modify his IP stack to start all fragment numbers at 1 and effectively bypass the filter altogether.
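A filter can read both the source routing option and the fragment offset directly from the IPv4 header. The following check is an added example, not part of the original slides; the verdict names, the policy in `verdict` and the `build_header` helper that constructs sample headers are assumptions.

```python
import struct

LSRR, SSRR = 131, 137  # IPv4 option types: loose / strict source route (RFC 791)

def inspect_ipv4(header: bytes) -> dict:
    """Extract the header fields a stateless filter looks at."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", header[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    opts, i, source_routed = header[20:ihl], 0, False
    while i < len(opts) and opts[i] != 0:       # 0 = end of option list
        if opts[i] == 1:                        # 1 = no-operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IP option")
        source_routed |= opts[i] in (LSRR, SSRR)
        i += opts[i + 1]
    return {"proto": proto, "frag_offset": (flags_frag & 0x1FFF) * 8,
            "more_fragments": bool(flags_frag & 0x2000),
            "source_routed": source_routed}

def verdict(header: bytes) -> str:
    """Assumed policy: drop source-routed packets and never pass a non-first
    fragment merely because it is not fragment 0."""
    info = inspect_ipv4(header)
    if info["source_routed"]:
        return "drop"
    if info["frag_offset"] > 0:
        return "hold"   # no TCP/UDP ports here: reassemble or match to fragment 0
    return "filter"     # ports are present: continue to the port rules

def build_header(frag_field=0, options=b""):
    """Constructed sample header (checksum left at 0; it is not verified above)."""
    assert len(options) % 4 == 0
    ihl_words = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, 40, 1,
                       frag_field, 64, 6, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 2])) + options
```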
➢ Stateful inspection packet filters
• The problem with stateless packet filtering is that it makes decisions on a packet-by-packet basis, and the administrator cannot create rules that filter packets based on the relationship between one packet and another.
• Stateful packet filters solve this problem by retaining the state of all the communication flowing through the firewall in memory, and using that remembered state to determine whether or not individual packets should be dropped.
• When a trusted host connects to a TCP socket on an external untrusted host, it transmits packets that include the IP address and port on which it expects to receive a response.
• When that packet is routed through the stateful inspection filter, the filter makes an entry in its state table containing the destination socket and the response socket, and then forwards the packet onto the untrusted network.
• When the response comes back, the filter can simply look up the packet's source and destination sockets in its state table, see that they match an expected response, and pass the packet.
• If no table entry exists, the packet is dropped because it was not requested from inside the network.
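The state-table lookup described above, as an added example that is not part of the original slides. The class and method names, the idle timeout and the sample addresses are assumptions; the slides do not say how long an entry is kept.

```python
import time

class StateTable:
    """Tracks connections opened from inside so that only matching
    responses are passed back in."""

    def __init__(self, idle_timeout=300.0, clock=time.monotonic):
        self.idle_timeout = idle_timeout  # assumption: entries expire when idle
        self.clock = clock
        self.flows = {}  # (response socket, destination socket) -> last seen

    def outbound(self, src, sport, dst, dport):
        """A trusted host sends a packet: record both sockets, then forward."""
        self.flows[((src, sport), (dst, dport))] = self.clock()
        return "forward"

    def inbound(self, src, sport, dst, dport):
        """Pass a packet from outside only if it reverses a recorded flow."""
        key = ((dst, dport), (src, sport))
        last_seen = self.flows.get(key)
        if last_seen is None:
            return "drop"            # nobody inside asked for this packet
        if self.clock() - last_seen > self.idle_timeout:
            del self.flows[key]      # stale entry: treat as unrequested
            return "drop"
        self.flows[key] = self.clock()
        return "pass"

def demo():
    """Constructed traffic using documentation address ranges."""
    table = StateTable()
    table.outbound("10.0.0.5", 40000, "203.0.113.10", 80)
    return [
        table.inbound("203.0.113.10", 80, "10.0.0.5", 40000),  # expected reply
        table.inbound("203.0.113.10", 80, "10.0.0.5", 40001),  # wrong port
        table.inbound("198.51.100.7", 80, "10.0.0.5", 40000),  # wrong host
    ]
```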
➢ Advantages
• Packet filtering is "free". If an organization already has a router, it probably supports packet filtering. On a small LAN a single router can be sufficient for use as a packet filter.
• There is no need to train users or use any special client or server programs to implement packet filters. The screening router or packet filtering host does all the work transparently to the clients in the network.
➢ Disadvantages
• Routers can be difficult to configure, especially if one tries to use a complex configuration with a large number of rules.
• When a packet filter fails, or is not configured correctly, the damage that might be done to the network could be much worse than when a proxy server fails.
• Packet filters work on a small set of data: the header information in the IP packet. As a result, a packet filter is limited in the decisions it can make.
• Many packet-filtering routers lack robust logging capabilities, so it is difficult to get a lot of helpful information when a system has been infiltrated or attacked.
[Figure: IP Header Information]
➢ Application Gateways And Proxy Servers
• Packet filters work at the network transport layer by inspecting IP and other protocol header information.
• Proxy servers, by contrast, work at the application layer and can be used to provide a variety of services to the network.
• An application gateway or application proxy is a software program that runs on the firewall to intercept traffic for a specific kind of application.
• The proxy software intercepts user requests from the local LAN, and then makes a connection to the server residing outside the local LAN on behalf of the user.
• That is, an application proxy program acts as a middle man.
Using Proxy Servers
[Figure: a workstation (10.10.10.123) reaches the Internet through a proxy server (10.10.10.250, 140.176.60.69). Labels: web page request from workstation to web server on the Internet; web page request from proxy server to web server on the Internet; web page response sent to the proxy server that requested it; web page response sent from proxy server to the workstation that requested it; IP packets blocked here by non-routing dual-host proxy server.]
• In addition to blocking IP traffic, we can also use the proxy server to perform certain checks based on the type of request and on the content of the data returned.
• A separate proxy server application is needed for each kind of network service.
• Proxy servers can work in both directions.
• A proxy server can also control which users on the network are allowed to make Internet requests and can also decide which external users or hosts are allowed to send requests to servers inside the network.
• Either way, no IP packets get passed between the two networks, and we can allow or deny requests by configuring a set of rules.
There are two basic kinds of proxies:
• Classical proxies
• Transparent proxies
➢ Classical Proxies
These proxies were the first kind developed.
• A classical proxy makes the client end of the connection authenticate itself to the proxy before the proxy begins relaying data back and forth.
• The problem with this kind of proxy is that it involves extra work by the client.
➢ Transparent Proxies
• A transparent proxy, from the user's point of view, works just like a direct connection.
Designing The Firewall System
• When establishing an Internet firewall, an organization needs to consider the following:
• Decide the security policy that it intends to implement.
• Then decide on the basic firewall architecture that satisfies that security policy.
• There are two classes of firewall architectures: single layer and multiple layer.
Single Layer Architecture
➢ In a single layer architecture one network host is allocated all firewall functions and is connected to each network for which it is to control access.
➢ This approach is usually chosen when containing cost is a primary factor or when there are only two networks to interconnect.
➢ It has the advantage that everything there is to know about the firewall resides on that one host.
➢ In cases where the policy to be implemented is simple and there are few networks being interconnected, this approach can also be very cost-effective to operate and maintain over time.
➢ The greatest disadvantage of the single layer approach is its susceptibility to implementation flaws or configuration errors — depending on the type, a single flaw or error might allow firewall penetration.
Multi Layer Architecture
➢ In a multiple layer architecture the firewall functions are distributed among a small number of hosts, typically connected in series.
➢ This approach is more difficult to design and operate, but can provide substantially greater security by diversifying the defenses we are implementing.
➢ Although more costly, it is advisable to use a different technology in each of these firewall hosts.
➢ This reduces the risk that the same implementation flaws or configuration errors will exist in every layer.